concrete5: SSRF thru File Replace

2017-06-27T23:09:52
ID H1:243865
Type hackerone
Reporter zuh4n
Modified 2018-01-06T23:11:36

Description

Hello Team,

Version: 8.2.0

Details: I have found a possibility of Server-Side Request Forgery via the file 'Replace' functionality. An attacker / malicious user is able to scan the local network and enumerate open TCP ports. The root cause of this vulnerability:
- you are allowing localhost IPs to be used in order to take a file;
- different errors are returned for successful and failed requests, e.g. in case the TCP port is open the server response is the following: Unknown mime-type: text/html; charset=UTF-8 or A valid response status line was not found in the provided string. In case the port is closed: Unable to connect to 127.0.0.1:1 . Error #0: stream_socket_client(): unable to connect to 127.0.0.1:1 (Connection refused)

Steps to reproduce:
- Log in to the Dashboard as any user who is able to (e.g. Admin group);
- Navigate to the Files > File Manager page;
- Open Replace for any uploaded file > Add remote files;
- I used the following endpoints:

TCP Port 1 (closed) http://127.0.0.1:1 Unable to connect to 127.0.0.1:1 . Error #0: stream_socket_client(): unable to connect to 127.0.0.1:1 (Connection refused)

TCP Port 80 (open) http://127.0.0.1:80 Unknown mime-type: text/html; charset=UTF-8

TCP Port 3305 (closed) http://127.0.0.1:3305 Unable to connect to 127.0.0.1:3305 . Error #0: stream_socket_client(): unable to connect to 127.0.0.1:3305 (Connection refused)

TCP Port 3306 (open) http://127.0.0.1:3306 A valid response status line was not found in the provided string

PoC: {F198015}

Attack scenario: This feature can be used to launch an SSRF attack to map the internal network. For example, it can be used to identify open internal ports.

Let me know if you have any questions.

Thanks, Stas
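The report names two root causes: the "Add remote files" fetch accepts loopback/internal addresses, and it leaks distinct error strings for open and closed ports. The check below is an added example written for this page (it is not concrete5 code and does not use concrete5's API); it shows the two mitigations a defender would apply before fetching a remote file: resolve the URL's host to every address it maps to and refuse any that is loopback, private, link-local, multicast, reserved or unspecified (including IPv4-mapped IPv6 forms), and collapse every rejection reason into one generic message so the response no longer acts as a port-scanning oracle. The `resolver` parameter, `resolve_all` helper and `GENERIC_ERROR` text are assumptions of this example, and the addresses in the demo are constructed.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}

# One message for every failure. The report's bug was that "Connection refused",
# "Unknown mime-type" and "A valid response status line was not found" told the
# caller whether a port was open; a uniform message removes that signal.
GENERIC_ERROR = "Unable to fetch the remote file."


def _is_public(ip):
    """True only for globally routable unicast addresses (hypothetical helper)."""
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped  # ::ffff:127.0.0.1 must be judged as 127.0.0.1
    return not (
        ip.is_loopback
        or ip.is_private
        or ip.is_link_local
        or ip.is_multicast
        or ip.is_reserved
        or ip.is_unspecified
    )


def resolve_all(host):
    """Default resolver: every A/AAAA record for host (assumed helper, uses DNS)."""
    try:
        infos = socket.getaddrinfo(host, None)
    except socket.gaierror:
        return []
    addrs = []
    for info in infos:
        raw = info[4][0].split("%", 1)[0]  # drop IPv6 scope id if present
        addrs.append(ipaddress.ip_address(raw))
    return addrs


def validate_remote_url(url, resolver=resolve_all):
    """Return (allowed, message) for a user-supplied remote file URL.

    Rejects non-http(s) schemes, hosts that fail to resolve, and hosts where
    ANY resolved address is non-public. Every rejection yields GENERIC_ERROR.
    """
    parts = urlsplit(url)
    host = parts.hostname
    if parts.scheme.lower() not in ALLOWED_SCHEMES or not host:
        return False, GENERIC_ERROR
    try:
        ips = [ipaddress.ip_address(host)]  # literal IP, no DNS needed
    except ValueError:
        ips = resolver(host)  # hostname: check all records, not just the first
    if not ips or not all(_is_public(ip) for ip in ips):
        return False, GENERIC_ERROR
    return True, "ok"


if __name__ == "__main__":
    # Constructed stub resolver so the demo runs offline.
    def stub_resolver(host):
        table = {
            "cdn.example": [ipaddress.ip_address("8.8.8.8")],
            "rebind.example": [ipaddress.ip_address("8.8.8.8"),
                               ipaddress.ip_address("127.0.0.1")],
        }
        return table.get(host, [])

    for candidate in (
        "http://127.0.0.1:1",            # closed port in the report
        "http://127.0.0.1:80",           # open port in the report
        "http://127.0.0.1:3306",         # open port in the report
        "http://[::ffff:127.0.0.1]/",    # IPv4-mapped loopback
        "http://169.254.169.254/",       # link-local (cloud metadata range)
        "file:///etc/passwd",            # non-http scheme
        "http://cdn.example/logo.png",   # public host: allowed
        "http://rebind.example/x",       # mixed records: rejected
    ):
        print(f"{candidate:32} -> {validate_remote_url(candidate, stub_resolver)}")
```

Two notes on the design. First, the fetch step itself must map its own exceptions (connection refused, bad status line, unexpected MIME type) to the same `GENERIC_ERROR`, logging the detail server-side only; validating the URL without also unifying the fetch errors leaves the oracle in place for whatever hosts remain reachable. Second, resolving here and connecting later is a time-of-check/time-of-use gap (DNS rebinding); the robust form is to connect to the vetted IP and pass the hostname separately for the Host header and TLS SNI, and to re-check the target on every redirect.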